Security
Headlines
HeadlinesLatestCVEs

Tag

#js

CVE-2022-41385: d8s-html

The d8s-html package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-urls package. The affected version is 0.1.0.

CVE
Open in Source
#js#git#backdoor
GHSA-9pgh-qqpf-7wqj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

### Impact A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3. ### Patches Update to `@xmldom/xmldom@0.8.3` or higher or to `@xmldom/xmldom@0.9.0-beta.2` or higher if you are on the dist-tag `next`. ### Workarounds No, if you can not update to v0.8.3, please let us know, we would be able to also provide a patch update for version 0.7.x if required. ### References https://github.com/xmldom/xmldom/pull/437 ### For more information If you have any questions or comments about this advisory: * Email us at security@xmldom.org * Add information to https://github.com/xmldom/xmldom/issue/436

CVE-2021-36915: Profile Builder – User Profile & User Registration Forms

Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.

CVE-2022-37609: js-beautify/options.js at 6fa891e982cc3d615eed9a1a20a4fc50721bff16 · beautify-web/js-beautify

Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js.

CVE-2022-37599: loader-utils/interpolateName.js at d9f4e23cf411d8556f8bac2d3bf05a6e0103b568 · webpack/loader-utils

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.

Critical Open Source vm2 Sandbox Escape Bug Affects Millions

Attackers could exploit the "Sandbreak" security bug, which has earned a 10 out of 10 on the CVSS scale, to execute a sandbox escape, achieve RCE, and run shell commands on a hosting machine.

CVE-2021-36899: Asset CleanUp: Page Speed Booster

Authenticated (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in Gabe Livan's Asset CleanUp: Page Speed Booster plugin <= 1.3.8.4 at WordPress.

CVE-2022-41376: Metro UI v4.4.0 Components Library Reflected XSS Injection

Metro UI v4.4.0 to v4.5.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Javascript function.

Red Hat Security Advisory 2022-6855-01

Red Hat Security Advisory 2022-6855-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include buffer overflow, denial of service, double free, and spoofing vulnerabilities.

Red Hat Security Advisory 2022-6856-01

Red Hat Security Advisory 2022-6856-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include buffer overflow, denial of service, and spoofing vulnerabilities.